The personal blog of Peter Lee a.k.a. "China Hand"... Life is a comedy to those who think, a tragedy to those who feel, and an open book to those who read. You are welcome to contact China Matters at the address chinamatters --a-- prlee.org or follow me on twitter @chinahand.

Friday, April 13, 2012

The CEIEC incident is only the most visible of a blizzard of hacks against Chinese sites conducted under the aegis of "Anonymous China." I speculate that these hacks are, if not organized, encouraged or incentivized by the US government as a shot across the bow against China for the PRC's sizable industrial espionage program targeting American corporations such as President Obama's high-tech BFF, Google.

I would advise casual readers not to satisfy their curiosity by searching for the CEIEC files and downloading them. At least one of the documents contains a nasty exploit buried in the bloated header of a Word document; it apparently enables remote operation of the infected computer as a spam-bot or worse.

Anti-virus software identifies the nasty as 2010-3333, which is the target of an elderly Microsoft patch. However, this seems to be something new and improved. Microsoft's security software misses it completely; Sophos software locates it but can't remove it. This is especially galling/ironic because a Sophos guy did a podcast noting the rise in incidence of 2010-3333 but blamed it on lazy users not installing the patch.

Au contraire, my British friend. It looks like Sophos is getting pwned here, not just Mr. Irresponsible Enduser.

So stay away from those CEIEC files.

Something worth looking at and, I'm assuming, safe as milk, is a YouTube video that Hardcore Charlie recommends as accompaniment to viewing the CEIEC dump (whether he is also aware that "2010-3333" from the files is simultaneously burrowing into the vulnerable innards of one's computer is an open question).

The clip is a montage from Coppola's Apocalypse Now illustrating a song by German thrash metal giants Sodom. It's pretty effective.

Hardcore Charlie also likes to quote lyrics from German industrial rockers KMFDM. Here's an official band video from a song of theirs that breaks the Godwin Rule by equating George Bush with Hitler, also rather effective.

"Hardcore Charlie" by the way, derives his web alias from a "death card" apparently distributed by members of the 101st Airborne during the first Iraq War. We know this because he quotes the card's motto:

Compliments of Hardcore Charlie - 3rd BN 502 Infantry - When you care enough to send the very best - AIR ASSAULT.

Military historian Herb Friedman posted a picture of the card about ten years ago, in a fascinating discussion of death cards.

Did you know U.S. Playing Card Co. provided all-Ace-of-Spades packs of Bicycle cards to US military personnel in Vietnam for the purposes of corpse decoration/psyops? Friedman quotes the manufacturer as saying:

The Death Card or Ace of Spades was considered bad luck by the Viet Cong. This is the story that I got first-hand from one of the lieutenants who originated the idea. He had read an article in the Stars & Stripes indicating that the Vietnamese were a very superstitious people and that the men were afraid of the Ace of Spades. The French previously had occupied Indo-China, and in French fortune telling cards, the Spades predicted death and suffering. It also seems that a statue of a woman foretold a "bad day" and there was some belief that the Viet Cong even regarded lady liberty as a goddess of death.

Anyways, this guy, along with three of his fellow-lieutenants were playing cards with one of our Bicycle decks, which fortunately they liked to use, and they noticed that the Bicycle Ace of Spades had a statue of a woman in the middle of it, so they figured that this was a potentially good psychological operations weapon. So they contacted the United States Playing Card Company and we sent them thousands of the requested decks gratis to our troops in Vietnam. These decks were housed in plain white tuck cases, inscribed "Bicycle Secret Weapon: Ace of Spades."

The troops started using them, basically as calling cards. And then all their friends wanted some. And eventually, the military asked us to produce a deck that had fifty-two Bicycle Aces of Spades. The cards were deliberately scattered in the jungle and in hostile villages during raids. The very sight of the "Bicycle" Ace was said to cause many Viet Cong to flee.

In another anecdote, Friedman makes it clear that the psychological trauma was a two-way street:

Katherine Keane was a Red Cross “Donut Dolly” in Viet Nam from 1967 to 1968. She was assigned to the Red Cross Recreation Center in Nha Trang. She told me that many of the soldiers coming into the center appeared to have some form of PTSD. She believed they were being treated locally in an Army medical center. One sat down next to her and she expected a pleasant talk about home and what it was like to be in Vietnam. Instead, he pulled out a handful of photographs to show her. She said:

“Here,” he said. “Look here.” He pulled a stack of Polaroid pictures out of his cargo pocket. He laid the pictures down in front of me one by one. The first showed a dead Vietnamese with an Ace of Spades stuck in his mouth. I was completely unprepared to see this. He continued laying them down, one next to another. The next showed a group of dead Vietnamese with the Ace of Spades stuck in their mouths. The next showed the Ace of Spades apparently stuck into the man’s chest with some kind of stick. The last showed the Ace of Spades nailed into a man’s forehead. He seemed to have the pictures in some sort of order of brutality. I couldn’t believe what I was seeing. He offered to let me pick and keep one picture but I declined. He seemed relieved. I would have broken up his collection. Then he handed me a sewn patch depicting an Ace of Spades that I did accept.

That's what real war looks like.

Here's the text of my Asia Times piece on US-China cyberwar (go to the AT piece for the links):

The high-profile intrusion into the e-mail server of China Electronics Import & Export Corporation by "Hardcore Charlie" may mark the coming out party for America's own band of patriotic hackers.

Documents obtained through the hack were posted on file-sharing sites. For the most part, they are a bewildering grab bag of seemingly inconsequential documents. One folder contains regulations concerning the privatization of public universities in Vietnam; another reveals the monthly salary of an English teacher working for Ivanhoe Copper in Myanmar.

Then there are the somewhat more disturbing documents: pages and pages of spreadsheets and US military Acrobat files detailing the recent movements of the quaintly-named "jingle trucks" operated by local companies delivering supplies to the network of US facilities inside Afghanistan. The documents are not marked secret, and the US government has apparently still not taken steps to remove them from the file-sharing services a week after they were posted.

In a web statement, Hardcore Charlie justified his hack with the assertion that China was passing sensitive information to America's enemies, including the Taliban. In a pastiche of English, Spanish, obscenities and racist references, he stated:

CEIEC, for its part, issued a denial equally deficient in grammatical polish, stating:

CEIEC solemnly declares as below:
The information reported is totally groundless, highly subjective and defamatory. It is believed that rumors stop at wiser.

CEIEC reserves the right to take legal action against the relevant responsible individuals and institutions. [1]

Observers noted the apparent incongruity of CEIEC asserting it had not been hacked ... but reserving the right to take legal action.

The Chinese version is somewhat less incoherent, but only slightly. It appears that CEIEC may be trying to say that it is taking issue with the allegations - for instance, that CEIEC is passing on the information to bad guys in Ukraine, Syria, Russia and the Taliban - while skating past the question of whether it was actually hacked. [2]

CEIEC is described as a "defense contractor" in foreign coverage. However, this may be overstating the case somewhat. CEIEC is one of the ancient import/export corporations set up under the Ministry of Foreign Trade 30 years ago. It did a booming business when international trade was a monopoly of the government import/export corporations, and still benefits from its government ties in handling foreign aid projects and administering international tenders.

At the same time, it has successfully reinvented itself as a prime contractor on overseas projects and, in terms of gross revenue, is one of China's bigger companies.

CEIEC is not an industrial enterprise with its own manufacturing capability. It has targeted the defense electronics sector, as an integrator and prime contractor, apparently hoping to supply systems to China's allies overseas. Whatever it has on its servers, it is probably not the crown jewels of China's defense establishment.

But the question of how the minutiae of US military truck transport in Afghanistan ended up on CEIEC's servers remains a mystery. The CEIEC case does highlight a remarkable trend in international hacking - the appearance of non-government auxiliaries in cyber-war battles.

China is notorious for its interest in cyber-war as an asymmetric counter to the conventional military superiority of the United States ... and for its apparent willingness to farm out, encourage, or benefit from private hacker initiatives.

In 2010, Mara Hvistendahl wrote in Foreign Policy:

[T]he hacking scene in China probably looks more like a few intelligence officers overseeing a jumble of talented - and sometimes unruly - patriotic hackers. Since the 1990s, China has had an intelligence program targeting foreign technology, says James A Lewis, senior fellow for cyber-security and Internet policy at the Center for Strategic and International Studies. Beyond that, however, things get complicated. "The hacking scene can be chaotic," he says. "There are many actors, some directed by the government and others tolerated by it. These actors can include civilian agencies, companies, and individuals." [3]

Patriotic hackers in China are called "hong ke" or "red guest", a pun on the phonetic rendering "hei ke" or "black guest" for hacker.

Their patriotic cyber-duties included destroying the online presence of South Korean boy band Super Junior after an unruly and undignified crowd of Chinese fans clamored to hear the band at the Shanghai World Expo and embarrassed Chinese nationalists. [4]

They also weigh in on foreign issues of greater moment, mixing it up with their Japanese counterparts when Sino-Japanese passions are inflamed by visits to the Yasukuni Shrine or the collision between a Chinese fishing boat and Japanese coast guard vessel off Diaoyutai/Senkaku in 2011.

But their major utility to the Chinese government may be their ability to generate chaff - a barrage of cyber-attacks to distract and overwhelm US security specialists trying to cope with China's pervasive, professional program of industrial and military espionage - and give the People's Republic of China (PRC) government deniability when hacking is traced to a Chinese source.

Chinese industrial cyber-espionage has emerged as a dominant near-term security concern of the United States.

The Barack Obama administration went public with its case against China in November 2011, with a report on industrial espionage titled Foreign Economic Collection. It described China rather generously as a "Persistent Collector" given the PRC's implication in several high-profile industrial espionage cases and soft-pedaled the issue of official Chinese government involvement. The report stated:

US corporations and cyber-security specialists also have reported an onslaught of computer network intrusions originating from Internet Protocol (IP) addresses in China, which private sector specialists call "advanced persistent threats." Some of these reports have alleged a Chinese corporate or government sponsor of the activity, but the IC [intelligence community] has not been able to attribute many of these private sector data breaches to a state sponsor. Attribution is especially difficult when the event occurs weeks or months before the victims request IC or law enforcement help. [5]

A month later, in December 2011, US criticism of China became a lot more pointed. Business Week published an exhaustive report on Chinese cyber-espionage, clearly prepared with the cooperation of federal law enforcement authorities as it named and described several investigations:

The hackers are part of a massive espionage ring codenamed Byzantine Foothold by US investigators, according to a person familiar with efforts to track the group. They specialize in infiltrating networks using phishing e-mails laden with spyware, often passing on the task of exfiltrating data to others.

Segmented tasking among various groups and sophisticated support infrastructure are among the tactics intelligence officials have revealed to Congress to show the hacking is centrally coordinated, the person said. US investigators estimate Byzantine Foothold is made up of anywhere from several dozen hackers to more than one hundred, said the person, who declined to be identified because the matter is secret. [6]

United States security boffin Richard Clarke had this to say about Chinese cyber-espionage in an interview with Smithsonian magazine:

"I'm about to say something that people think is an exaggeration, but I think the evidence is pretty strong," he tells me. "Every major company in the United States has already been penetrated by China."

"What?"

"The British government actually said [something similar] about their own country."

Clarke claims, for instance, that the manufacturer of the F-35, our next-generation fighter bomber, has been penetrated and F-35 details stolen. And don't get him started on our supply chain of chips, routers and hardware we import from Chinese and other foreign suppliers and what may be implanted in them - "logic bombs," trapdoors and "Trojan horses," all ready to be activated on command so we won't know what hit us. Or what's already hitting us. [7]

Some big numbers are being thrown around to publicize the Chinese threat.

Business Week's report, while admitting the woolliness of its methodology, stated that losses to American companies from international cyber-espionage amounted to US$500 billion in a single year.

Scott Borg, director of a non-profit outfit called the US Cyber Consequences Unit, told Business Week:

"We're talking about stealing entire industries ... This may be the biggest transfer of wealth in a short period of time that the world has ever seen."

Beyond these apocalyptic economic and military scenarios, we might also descend to the personal and political and point out that Google, a favorite target of Chinese cyber-attacks, is Obama's friend, indispensable ally, brain trust and source of personnel in the high-tech sector.

Connect the dots, and it is clear that the Obama administration, in its usual meticulous way, is escalating the rhetoric and preparing the public and the behind-the-scenes groundwork for major pushback against China in the cyber-arena.

Beyond moves in the legal arena such as the aggressive prosecution of the DuPont industrial espionage case - alleging that China orchestrated a program to steal DuPont's titanium dioxide technology - it is interesting to speculate what other moves the Obama administration might make.

The United States is undoubtedly already doing its best to penetrate China's government, military and scientific networks.

How could the US escalate, especially in the industrial and commercial sphere, where the US mindset is that everything worthwhile the Chinese have was stolen from us, so what's worth stealing back?

Maybe the answer is cyber-harassment, turning a blind eye - or actively egging on - non-government hackers to embarrass, inconvenience, humiliate and perhaps even destabilize the Chinese regime.

Consider this April 4 report by Emil Protalinski at ZDNet on an explosion in hacking against China since a Twitter account was launched on March 30:

The hacktivist group Anonymous now has a Chinese branch. An Anonymous China Twitter account was created late last month ... Boy have they been busy. Hundreds of Chinese government, company, and other general websites have been hacked and defaced in the span of a few days. A couple have also had their administrator accounts, phone numbers, and e-mail addresses posted publicly. On the hacked sites, the group even posted tips for how to circumvent the Great Firewall of China.

A long Pastebin post lists all the websites that were targeted. It contains 327 websites in total, but an updated list, also on Pastebin, brings that number to 485. Most of these websites are operational once again, but many have been defaced a second time after they were brought back. Not all of them were hacked and defaced; some were treated with more viciousness than others. [8]

Protalinski subsequently wrote that the attacks had not abated and China, in an interesting case of public relations jiu jitsu, was using the campaign as evidence that it was one of the world's many victims of cyber-misbehavior (and, by implication, not a major perpetrator):

While Anonymous was not specifically mentioned, it's obvious what China's Ministry of Foreign Affairs was referring to during a briefing on Thursday, given the events during the last week. "First of all, China's Internet is open to all, users enjoy total freedom online. China has gained 500 million netizens and 300 million bloggers in a very short period of time, which shows the attraction and openness of China's Internet," spokesman Hong Lei said in a statement, according to CNN. "Secondly, the Chinese government manages the Internet according to law and regulations. Thirdly, certain reports prove again that China is a victim of Internet hacker attacks." [9]

It will be interesting to see how sympathetic the Obama administration will be if the Chinese government begins squealing to it about this outbreak of anti-PRC hacking.

The current Anonymous hacks have been of remarkably unimpressive and uninteresting Chinese sites - like the Taoyuan Bureau of Land and Resources. One can wonder if escalation to more tempting, juicier and more sensational targets is in the future. [10]

My speculation is that the campaign of cyber-attacks against Chinese targets was seeded by the US government, but has gathered its own momentum and is drawing in freelance foreign and some Chinese hackers searching for lulz - the hacker term for giggles or detached/callous amusement.

Let us now return to the perpetrator of the most spectacular hack to date - Hardcore Charlie - and ask whether his postings reveal anything about his motivations.

Hardcore Charlie's web persona displays a military bent. His web alias derives from a death card (a specially printed playing card with an intimidating message sometimes placed on an enemy corpse by US servicemen) associated with the US Army's 101st Airborne Division: "Compliments of Hardcore Charlie - 3rd BN 502 Infantry - When you care enough to send the very best - AIR ASSAULT." [11]

Hardcore Charlie's postings also quote lyrics on a military theme, from "Marines" by the German thrash metal band Sodom. He recommends reading the files to the accompaniment of a YouTube video montage of Francis Ford Coppola's Vietnam epic film Apocalypse Now, using Sodom's "Napalm in the Morning" as the soundtrack.

But perhaps there's something more going on here than pro-military pro-freedom enthusiasm. Sodom is an avowedly anti-war band that toured Vietnam, even though it was denied permission to play there, so it could learn more about the war and its aftermath.

Two more bumpers in the postings quote KMFDM, German industrial rockers (and, unfortunately, sometimes a favorite band of alienated and murderous high-schoolers such as Eric Harris, the Columbine shooter) with what one could characterize as a vigorous anti-American government stance.

From another KMFDM song, New American Century, another quote: ... LOVE THY NEIGHBOR TURN HIM IN.. its called PATRIOTISM ...

Interesting, especially when one considers how Hardcore Charlie, in apparently his only media availability, with Reuters, was described: The hacker, who uses the name Hardcore Charlie and said he was a friend of Hector Xavier Monsegur, the leader-turned-informant of the activist hacking group, LulzSec ... [13]

Rewind to March 2012: Key members of the hacking collective known as LulzSec were arrested Tuesday morning, a move authorities are calling "devastating to the organization". According to an exclusive report by Foxnews.com LulzSec's alleged ringleader, Hector Xavier Monsegur of New York City, helped authorities with the arrest. [14]

As for LulzSec, it was an ad hoc hacker collective spun off from Anonymous (the same grouping bedeviling China under the Anonymous China hashtag) by Monsegur. Its sensational 50-day career in 2011 was described by PC Magazine:

May 7 - Lulz Security [claims] to have gotten ahold of a database of contestants from the Fox TV show X Factor. Lulzsec follows up a few days later with more sales and internal data gleaned from Fox.com.

May 30 - After hacks of Sony in Japan and a British ATM database, Lulzsec scores its first big publicity coup by posting a fake story on the PBS website, which claimed that Tupac Shakur was alive and well in New Zealand.

June 2 - Lulzsec posts personal data for more than a million users from a handful of Sony websites, …

June 3 - The "Lulz Boat" sets a course for the government, targeting security organizations that work with the FBI and other agencies …

June 13-20 - Lulzsec appears to be hitting its stride, with a busy week hacking into the US Senate's website, stealing the account information of more than 200,000 users from video game maker Bethesda, claiming to have temporarily brought down the CIA's website, and going after more security agencies in the US and UK.

June 23 - In protest of Arizona's controversial anti-immigration law, Lulzsec posts internal documents and information from the state's Department of Public Security. [15]

Lulzsec closed shop at the end of June 2011, when an asset in England was arrested. It appears that was not enough to elude the bloodhounds of the Federal Bureau of Investigation or forestall Monsegur's betrayal of his associates.

Careful readers may find their interest piqued by the fact that Fox News, which got the exclusive on the arrests in 2012, were the first hacked in 2011.

Pattern-oriented readers might consider whether the sudden eruption of Lulzsec resembles the cyber flashmob that is currently swarming Chinese sites.

Contrarian readers might find it interesting that the focus of hacking seems to have done a 180-degree turn away from American government, security and corporate targets to tormenting their Chinese equivalents (despite the limited lulz obtainable when hacking a site whose language one does not understand).

Curious readers might also wonder if information from Monsegur has helped the authorities get "Hardcore Charlie" in their sights and he is hacking into Chinese websites either at their behest to help get the Anonymous China ball rolling or is pre-emptively demonstrating his utility and eagerness to please.

In any case, the cat's out of the bag.

The order of battle in the cyber-armies of China and the United States has been completed by the arrival of the volunteer militias to serve next to the professionals.